oxleytechnologies
$30

Auditing Your Payment Card (Debit, Credit & Prepaid) Processes, Systems and Applications: A Practical PCI-DSS Compliant Audit Program for Issuers, Card Brands, Acquirers, Processors & Switches


Despite the security investments made by businesses that process, store, transmit and access cardholder information, data breaches have continued to occur on a disturbing scale, leading to loss of funds by cardholders, financial institutions and insurance companies. Players in the payment cards ecosystem such as the card brands (American Express®, Discover®, JCB, MasterCard®, VISA®, Union Pay® and Verve®), card issuers, terminal owners/acquirers, processors and payment switches have suffered losses and reputational damage due to inadequate security controls, process flaws, and poor monitoring and oversight by those responsible for them. Where vulnerabilities are left unaddressed, fraudsters and attackers could exploit them to their advantage. As the cyber security space evolves, fraudsters and attackers have continued to change their techniques to maintain an edge. Credit, debit and prepaid card data have been stolen from unsuspecting cardholders through various fraudulent schemes. Personal Identification Number (PIN) information associated with credit and debit cards, which serves as the last point of defense for chip cards, has been stolen and used to commit fraud. The businesses concerned have failed to comply with relevant information security and control standards and best practices such as the Payment Card Industry Data Security Standard (PCI DSS), the Payment Application Data Security Standard (PA-DSS), ISO 27001 and ISO 22301. The objective of this practical guide is to offer the reader a step-by-step guide on how to audit/review payment card processes, systems and applications in order to provide reasonable assurance to stakeholders (management, investors and regulators) on the adequacy and effectiveness of controls in the payment cards processes and systems.
Businesses that process, store, transmit and access cardholder information audit their payment card processes, systems and applications in a defined cycle, as a matter of corporate governance and regulation. However, the personnel carrying this audit burden (Information Systems Auditors, Information Security Practitioners, IT Risk Managers, Card Product Managers, CIO, CISO, CTO) have sometimes fallen short in their responsibilities, with an attendant impact on the confidentiality, integrity and availability of cardholder information. This book will close this gap by showing the reader how to carry out the audit testing, as well as the control failures/vulnerabilities to look out for, in the areas of payment card policies, processes, applications, databases, change management, redundancy and data backup, vendor management and third-party services, encryption key management, terminal security, network security, vulnerability management, operating systems security, credit card portfolio management, card operations (priming, production, stocking & distribution), instant card issuance and re-issuance, among others. The primary audience is the general public and operational stakeholders (IT security managers, IT risk managers, IT managers, business managers and IT auditors) who are responsible for developing, implementing, operating, managing or reviewing the controls, technology and processes that are required to secure the system and comply with relevant industry standards (PCI DSS, PA-DSS, ISO 27001).